One of the biggest challenges that incident response teams face today is determining the scope of the cyber-attack incidents that they investigate. While software vendors and security experts have made a concentrated effort on detecting cyber-attacks (by correlating event logs, finding abnormal behavior patterns, etc.), very little effort has been made to solve the problem of incident scoping. And so, in many cases, even when a cyber-attack is detected, it is handled without a proper understanding of its dimensions, scope, goals and context. As a result, remediation operations are often partial and end without any actual effect: the attackers are still in the victims' network; attack operations resume, more or less, as planned; and the victims are left with a false sense of security, as they tend to believe that the incident has been stopped. In some cases, partial remediation does more harm than good, as attackers realize that they have been spotted and, as a result, alter or improve their attack methods or rapidly exfiltrate the data that they have collected.